SIM swapping is just getting out of hand: Rohit Maheshwari, Subex

SIM swapping or SIM cloning cases have been on the rise in recent times. This can be largely attributed to the growing digital footprint of consumers, allowing more personal data in digital form to be accessed by hackers, which forms the fundamental step in SIM swap.

The cyber cells of Police departments in cities like Kolkata, Bengaluru, and Delhi have reported several instances of SIM Swap' in recent times. In one of the recent cases involving SIM swapping, a man lost as much as Rs 93 lakh from his bank account. This fraudulent method is used by criminals to trick gullible smartphone users who end up losing money in a matter of minutes. This has affected mobile users, both in urban and rural areas.

Rohit Maheshwari, Head of strategy and products, Subex, discusses with Voice&Data on SIM Swapping continuing to be a prominent threat for customers and some solutions to mitigate it.

Few excerpts of the interaction:

Voice&Data: How is SIM swapping becoming a serious threat in banking and telecom?

Rohit Maheshwari: SMS based One Time Passwords (OTP) were born out of the need for securing customer accounts using multi-factor authentication. Accounts such as bank accounts, social media accounts, cloud storage, etc.

The proliferation of mobile phones has resulted in phone numbers becoming the preferred identity or primary identity and this has further fuelled the rise of OTP. But you need to bear in mind telcos never bargained for or volunteered for a phone number and OTP becoming a mechanism to protect sensitive user accounts.

In fact, telecom operators have always wanted to make it easy and frictionless for the customer to swap SIM when needed, as in case of upgrade from 3G to 4G SIM, or in case of SIM malfunctioning or in case of customer losing a phone or a SIM.

So, this combination of the rise of SMS OTP to protect customers and customer friendly initiative of telcos to make it easy to swap SIMs has attracted criminals and fraudsters. Today, it has become a significant menace and very bad publicity for telcos.

Voice&Data: How is SIM Swapping considered as an attack that happens at multiple stages?

 Rohit Maheshwari: SIM Swapping is a multistage multi-vector attack. It is usually not enough for a fraudster to swap a SIM. The fraudster also needs to gain access to personal data such as Name, Address, National ID which makes it possible for the fraudster to Swap SIM and data such as Account ID, Social Media ID, Bank ID which the fraudster eventually is targeting. So clearly personal data theft is the first step in this multi-stage attack.

Voice&Data: So, what are the steps consumers can take to stay protected from SIM swap?

Rohit Maheshwari: Consumer awareness is absolutely crucial. Steps consumers can take to prevent personal data theft include the following:

• Do not share it on social media, think twice before dumping documents without shredding into the garbage bin, write purpose and data on copies of IDs when sharing with service providers;
• Being vigilant and reporting back to the service provider in case your mobile connection stops working;
• Configuring alerts in case any of your accounts are logged into from a new device; and
• Reporting to the bank or social media service provider in case you notice unusual activity on your account.

Voice&Data: What are the steps telecom service providers take for preventing this fraud?

 Rohit Maheshwari: Telcos indeed take several preventative actions, which include:

• Insisting on physical presence with a photo ID or biometric authentication for SIM Swap. Not accepting SIM Swap requests made by calling customer care;
• Blocking SMS (Incoming and Outgoing) for the initial 24hours upon a SIM Swap;
• Alerting consumers alternate contact number or email ID upon any new SIM Swap request; and
• Providing banks and enterprises which rely on OTP an API based mechanism to verify if any SIM swap has occurred recently prior to sharing on OTP.